I was scared of this subject when it first came along. I resisted. But finally I threw myself into it. It absolutely must be understood at some level to get what’s going on in the digital sphere today.

Cryptography is, IMHO, the most important subject that liberty lovers can learn today. Bitcoin, bittorrent, PGP, even this website, all require cryptography at their core to work, otherwise we can’t keep any secrets from anyone at all.

For those of you new to crypto, and are looking for a little inspiration, I highly recommend reading about the history of the Cypherpunks. It’s an incredible history spanning back to the 70’s, it involves interesting people like Julian Assange and corporate CEOs, and most of the security spin-offs like SSL, bittorrent, and bitcoin come directly from cypherpunks without so much as a single thank-you in the press.

I tried to take the Stanford course, but limited time and limited advanced math skills prevented me from completing it. I may try the Khan Academy series mentioned below to see if it is more accessible.

The Stanford course is advanced. You pretty much need to go in with an understanding of hash functions, block ciphers, stream ciphers, public key crypto, etc. That course is for learning how they all work under the hood.

If you learn the basics first, then come back to that course, you will learn a lot.

Yeah, I tried Stanford too, stopped at the Udacity course, but ended up skipping a lot of maths. I don’t know if it’s worth it; I just wanted to understand bitcoin and build something with it. Probably I’ll get back to crypto soon.

See, I saw this forum and it immediately helps to see people interested in the same topics. Can someone redirect me to a place where I can take the ideas of security further to the OS and application levels? I’m an electrical engineer so I don’t mind some advanced stuff.

Certainly a topic that is worth understanding (at least the basics). The problem with actually putting it into practice is that not only you, but everyone with whom you communicate must be (not just vaguely, but) competent in its use. As much as I love granny, I just can’t see her making proper use of PGP. There are far too many breaks in the security chain, foremost among them being the method of trading keys. Sending them through an unencrypted email account? Defeats the whole purpose!

This is why I’m intently watching Ladar Levison and the DarkMail project.

> There are far too many breaks in the security chain, foremost among them being the method of trading keys. Sending them through an unencrypted email account? Defeats the whole purpose!

Unless I misunderstand the function of double-key cryptography, my public key can be safely handed off to anyone – we used to post them to usenet. It enables someone to encrypt something that only I can decrypt, and it can be used to verify that I was the actual author of a message and that it has not been altered since I signed it, but it won’t help anyone decrypt anything. For them to decrypt it, I’ve got to use their public key when I encrypt the message.

You are correct when it comes to PGP and RSA protocols. I was thinking more along the lines of one time pad (OTP) which is being used by the Privus project currently seeking funding on Kickstarter.

Apparently OTP is supposed to be uncrackable for all intents and purposes. Its biggest flaw is that the key has to be kept private which means that the hand-off has to be face-to-face in order to ensure full security.

Yes, a one time pad is said to be the absolute top end in security – as long as only 2 copies of that pad exist, and they’re kept physically secure. If that’s what you’re talking about, you’re quite right – the only secure method of transmittal of that pad would be a courier – once it is accessible to any other person, it stops being secure, and any electronic transmission is, by definition, insecure. I wonder why the Privus people think they can make it work.

The concept of a One Time Pad is simple. Let’s say I want to encrypt the message

“hi”

A OTP uses a key that is at least as long as the message it is trying to encrypt, so in this instance it would be 2 numbers long. Now let’s pretend that my OTP key was “1-2” and each number corresponds to a shift in the alphabet of its respective letter (the first number is paired with the first letter, second with the second, and so on).

i.e. “h” (first letter) shifted by 1 would be “i” and “i” (second letter) shifted by 2 would be “k”

After encrypting “hi” with the OTP “1-2”, you would get “ik”. So it seems simple enough to reverse this, right? All you have to do is a bunch of shifts backwards until you get “hi”! Well, it’s not that simple, because you have no way of telling if you have discovered the original message. For example:

The original message could have been “yo” and the OTP could have been “10-22” and it still would have turned out to be “ik”

or the original message could have been “of” and the OTP could have been “20-5” and it still would have turned out to be “ik”

or the original message could have been “an” and the OTP could have been “8-23” and it still would have turned out to be “ik”

So as you can see, when you are trying to decrypt it, without knowing the key, there is no way to know what was originally said. The problem with implementing this in an application is that the key needs to (1) be shared and (2) be stored, both of which open it up to the same vulnerabilities as the less secure algorithms used to transmit or protect the OTP key.
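The one-time pad walkthrough above, turned into runnable code. This is an added example, not code from the post or from the Privus project; it implements the post’s own shift-per-letter scheme over a lowercase a-z alphabet, with keys written as lists of shifts (the post’s “1-2” becomes [1, 2]). The helper names (`encrypt`, `decrypt`, `key_for`, `candidate_plaintexts`, `generate_key`) are my own. The `key_for` and `candidate_plaintexts` functions make the post’s point concrete: for any ciphertext, every plaintext of the same length is reachable by exactly one key, so the ciphertext alone cannot tell “hi”, “yo”, “of” and “an” apart.

```python
"""Toy one-time pad over a-z, following the shift-per-letter scheme in the
thread above. Added example; not the post's or Privus's code."""
import itertools
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
N = len(ALPHABET)


def parse_key(text: str) -> list:
    """Turn the post's notation, e.g. "10-22", into a list of shifts."""
    return [int(part) for part in text.split("-")]


def _check(message: str, key: list) -> None:
    # A one-time pad key must be at least as long as the message.
    if len(key) < len(message):
        raise ValueError("key must be at least as long as the message")
    if any(ch not in ALPHABET for ch in message):
        raise ValueError("this toy example handles lowercase a-z only")


def encrypt(message: str, key: list) -> str:
    """Shift each letter forward by its paired key value (mod 26)."""
    _check(message, key)
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + shift) % N]
        for ch, shift in zip(message, key)
    )


def decrypt(ciphertext: str, key: list) -> str:
    """Undo encrypt: shift each letter backward by its paired key value."""
    _check(ciphertext, key)
    return "".join(
        ALPHABET[(ALPHABET.index(ch) - shift) % N]
        for ch, shift in zip(ciphertext, key)
    )


def key_for(plaintext: str, ciphertext: str) -> list:
    """Return the one key that maps plaintext to ciphertext.

    Because such a key always exists for any same-length plaintext, an
    attacker who only holds the ciphertext cannot rule any message out."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext and ciphertext must be the same length")
    return [
        (ALPHABET.index(c) - ALPHABET.index(p)) % N
        for p, c in zip(plaintext, ciphertext)
    ]


def candidate_plaintexts(ciphertext: str) -> set:
    """Every plaintext reachable from ciphertext by some key.

    This is what "a bunch of shifts backwards" produces: for a 2-letter
    ciphertext it is all 676 two-letter strings, each exactly once."""
    return {
        decrypt(ciphertext, list(key))
        for key in itertools.product(range(N), repeat=len(ciphertext))
    }


def generate_key(length: int) -> list:
    """Fresh shifts from the OS CSPRNG. The pad is 'one-time': the security
    argument above only holds if each key is random and used for one message."""
    return [secrets.randbelow(N) for _ in range(length)]


if __name__ == "__main__":
    print(encrypt("hi", parse_key("1-2")))            # ik
    for guess in ("hi", "yo", "of", "an"):
        print(guess, "->", "-".join(map(str, key_for(guess, "ik"))))
    print(len(candidate_plaintexts("ik")), "equally plausible plaintexts")
```

Note that the code does nothing about the two problems the post ends on: the key still has to be handed to the other party and stored somewhere, and `generate_key` only gives you the random pad, not a way to move it. Those steps are exactly where a real deployment inherits the weaknesses of whatever channel or storage protects the key.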

Daniel Shiner, who should be joining L.Me soon, mentioned to me an interesting talk or paper that predicted that as we begin to integrate with technology more and more, electronic viruses and malware will become as detrimental to us as biological viruses and bacteria, and using cryptography will become as second nature to us as washing our hands or covering our mouths when we cough.

One fairly painless method of learning about cryptography (which is much easier than learning how to create cryptographic systems) is Neal Stephenson’s novel _Cryptonomicon_, which tells the tale of a cryptographer during WW II, among others. Fiction, but awfully well-researched.

I really don’t think that most people should get bogged down in the details of how cryptography works. Odds are (unless you are a cryptographer), you will never have the time or energy to really figure out what’s going on with cutting edge cryptography.

What EVERYONE should know is the how to apply cryptography to secure their data. People need to know which algorithms are strong and which are weak, when is the best time to use AES and when is the best time to use ECC, etc.

I’ve been meaning to snag a copy of Applied Cryptography since reading Carry On a couple months back. It has rave reviews on Amazon and from what I’ve heard is the best introductory text available for the subject.

How can you resist when it has reviews like this:
“The book the National Security Agency wanted never to be published.” -Wired Magazine